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Abstract 



This thesis includes a survey of the results known for private and approximate private 
quantum channels. We develop the best known upper bound for e-randomizing maps, 
n + 21og(l/e) + c bits required to e-randomize an arbitrary n-qubit state by improving 
a scheme of Ambainis and Smith [5] based on small bias spaces |16l [3]. We show by a 
probabilistic argument that in fact the great majority of random schemes using slightly 
more than this many bits of key are also e-randomizing. We provide the first known non- 
trivial lower bound for e-randomizing maps, and develop several conditions on them which 
we hope may be useful in proving stronger lower bounds in the future. 
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Chapter 1 
Introduction 



1.1 Preface 

Secure communication has long been a concern. The advent of computers revolutionized 
the field of cryptography, and quantum computation promises to do so again. Quantum 
computers threaten to render obsolete modern public key cryptography, while quantum 
cryptography offers the prospect of unconditionally secure communication. 

Traditionally, studies of communication have assumed that one would wish to transmit 
classical data. In a world in which quantum information is on the rise, it is natural 
to think about what might happen if instead one considers messages that are quantum 
in nature. That is, what if one should wish to transmit a quantum state in security? 
This thesis addresses this question. In particular, we give an exposition of the known 
results for private quantum channels and for approximate private quantum channels. Our 
contributions are to the theory of the latter. We have improved the best known upper 
bounds for explicit, efficient construction of approximate private quantum channels, and 
provide the first known non-trivial lower bound. We have also worked on establishing 
tighter lower bounds. 

Private Quantum Channels, and their approximate variants, use a classical key to 
encrypt quantum states. There are several reasons for considering schemes using a classical 
key. While it is possible to transmit quantum states in perfect security using quantum 
teleportation, this requires that the communicating parties have access to the resource of 
shared entanglement. Classical information is much less volatile than quantum states, being 
immune to decoherence, and thus is (comparatively) easily maintained. One can envision 
situations in which rather than having two parties communicate, one person wishes to store 
a state securely for future access. Perhaps quantum "hard drive", i.e., long term storage 
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of quantum information, will be expensive, and provided in communal storage facilities. If 
one does not trust the provider of such a service not to attempt to gain access to the stored 
information, one could store an encrypted version. In such situations it is clearly beneficial 
to have an easily maintained key. Further, techniques such as quantum key distribution 
provide classical random keys. 

In a broader context, studying randomization can provide insights into the way that 
noise affects quantum computation, and about the connections between classical and quan- 
tum information. 



1.2 Notation and Conventions 

For the Pauli Eigenvectors flA.1.2p . we use several notations, depending on the context. 



|0) = 




\+z) 






\-z) 




|0> + |1> 


= \+x) 




|o>-|i> 

V2 


= \-x) 


+i) = 


|0>+i|l> 
V2 


= \+y) 


—i) = 


|0>-i|l> 
V2 


= \-y) 



Density operators will be represented by greek characters, usually p for mixed states, 
and and ifj for pure states, though for pure states we will usually prefer 

Let a be an n-bit string. Then for an operator P, we will say P° = I and = P and 
define 



pa 



paj 



Using the notation Vn for Pauli operators on n qubits, we note that for any Pauli operator 
P G Vn, we have P = aX"-Z^ for some strings a, 6 and a G {1, — — «}. We will often 
ignore the initial phase factor (which is reasonable, as we will most often be conjugating 
with P), and write P = 

We use C{d) for the space of linear operators of d dimensions, and U{d) C C{d) for the 
unitary operators of dimension d. Thus Vn C W(2"). 

A state p of dimension d refers to a positive semi-definite (and hence Hermitian) oper- 
ator in C{d) with Tr(p) = 1 ([18J, p. 101). 
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The notation S = {y/fhUi \ i = 1, ...,m} refers to the superoperator S that apphes Ui 
with probabihty Pi. That is, S{p) = J^^iPi^iP^l ■ 

Throughout, n will refer to the number of qubits, d to the dimension of a space, m to 
the number of operators. 

1.3 Quantum State Randomization 

Secret communication of a quantum state can be achieved easily using teleportation if the 
communicating parties have the resource of shared entanglement (or are able to establish 
it). We consider the case where they have access only to the weaker resource of shared 
classical randomness, and are interested in minimizing the amount needed. 

Suppose that two parties, Alice and Bob, share a secret key k e {1, m}, and wish to 
securely send a quantum state p from Alice to Bob. One strategy that they can use is to 
use their key to select a unitary operation Uk- Then Alice can encode p by applying Uk to 
obtain UkpUl, and send it to Bob. As Bob knows k, he can recover the original state p by 
applying Ul- Suppose now that a third party. Eve, wishes to obtain p. If her knowledge 
of k is represented as a random variable X with Pr [X = x] = Px, from her perspective the 
state being sent from Alice to Bob is 

N 

S{p) = J2pxUxpUl 

x=l 

In order for this to be secure, we need to require that for all states p that Alice and Bob 
might wish to communicate, the resultant states S{p) are indistinguishable. In general, 
Alice and Bob may use a more complicated encoding procedure, potentially using ancilla 
states or non-unitary operations. Ambainis, Mosca, Tapp and de Wolf [1] introduced the 
following definition. 

Definition 1.3.1. Let S C 7-^2" be a set of ra-qubit states, I > n, pa an (/ — n)-qubit 
density matrix (ancilla state), and po a Z-qubit density matrix (target state). Let S = 
{y/PiUi : 1 < < be a superoperator; each Ui is a unitary mapping on 7^2', and it is 
applied with probability Pi. That is 

m 

£{^) = ^PiU,{^®Pa)Ul 
i=l 

Then [S,£, pa-, Pq\ is called a Private Quantum Channel or PQC if and only if for each 

e 5 



4 



Approximate Randomization of Quantum States 



li I = n (i.e. no ancilla), we call S length preserving and we omit pa- 

Ambainis et ai, and independently Boykin and Roychowdhury [8], showed that 2n 
classical bits are sufficient to randomize n qubits in this fashion by using a "quantum one- 
time pad" . Further, it is shown by Boykin and Roychowdhury that 2n bits are necessary for 
schemes without ancillae, and the more general result including ancillae is demonstrated in 
[1] . Their result was generalized to more general types of channels by Nayak and Sen [17j , 
and Jain [13] has considered related communication regimes involving a variety of quantum 
and classical communication. These results are presented in more detail in Chapter [2l 

1.4 Approximate State Randomization 

Hayden et al. [12] demonstrated that by relaxing the security condition of Definition 11.3. 
a quadratically smaller number of operators is necessary (approximately d rather than 
to e-randomize a space of dimension d). The particular relaxation they introduce is the 
following. 

Definition 1.4.1. Let S C 7^2" be a set of pure ra-qubit states, m > n, pa an (m — n)- 
qubit density matrix (ancilla state), and po a m-qubit density matrix (target state). Let 
^ = {y/PiUi '■ I < i < be a superoperator where each Ui is a unitary mapping on 7-^2™ • 
[S,£,pa,Po] is called a e-Private Quantum Channel or e-PQC if and only if for each 

II ^^(V^® Pa) -Polltr < e. 

where || ■ ||^j. is the trace norm (see Section PV.2.3p . 

For simplicity, we will in general take m = n, and thus omit pa- We note that in 
the case of perfect encryption, the addition of an ancilla does not decrease the required 
amount of randomness [HIIT], and that none of the upper bounds known for approximate 
randomization make use of any ancilla. We will also assume for the remainder of this 
thesis that po = 1/2", the totally mixed state on n qubits (this is in fact necessary when 
one considers arbitrary quantum states of a fixed dimension, see Section [271]) . Throughout 
this work, we are interested primarily in the number of different operators one must have 
available, and as such, it will almost always be the case that we consider the uniform 
distribution over the possible keys k. Thus in general, we will have a set 5 = {Uk '■ k = 
1, |iS|} and 
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Then our requirement for £ to be e-randomizing is that for each 



Sip) 



< 



tr 



We will use equation (11.11) as the definition for e-randomizing maps. 

Although the definition of e-randomizing maps allows for mixed states to be sent, it 
is important to note that security depends crucially on an adversary not possessing a 
purification of the state as the following shows. 

Let $ = X]j=i \j) \j) be a maximally entangled bipartite state of dimension d. Let 
S = {Uj,pj}'jLi be a set of unitary operators of dimension d with corresponding prob- 
abilities, and £^ be a superoperator on the first part with S{p) = Yl^=iPj^jP^j ■ Then 
{S (g) I)($) has rank at most m, and hence 



(^®I)($) 



I 

rf2 



< 2(1 -m/d^ 



tr 



and for m G o((i^), this tends towards 2 as the dimension grows large (two states are 
orthogonal, and thus perfectly distinguishable if they have trace distance 2). 



1.5 One Qubit Example 

With 2 bits of key, we can completely randomize a single qubit by applying one of the 
four 1-qubit Pauli operators with equal probability. The demonstration is straightforward. 
Any density matrix p can be written as 

p = i+-(x.y,z) (1.2) 

for some m G R^, < 1 ([IB], p. 105). Further, using the commutation relations for Pauli 
operators (Section lA.l.ll) . for any P G {I, X, Y, Z}, 

-(IPI + XPX + YPY + ZPZ) = \^ if^ = I 
4 otherwise. 
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Thus by linearity and taking u 



[Ui,U2,U3} 



1 



I + u-{X,Y, Z) 



P 



PeVi 



What if instead of allowing four unitary operators, we allow a uniform selection among 
only three unitary operators, Ui, U2, U-^l 

By the unitary invariance of the trace norm (Lemma pi55l). we can multiply 

each of the Ui by f/| and thus determine that without loss of generality, we can take 
Ui = I. As quantum states are equivalent up to global phase, we then consider the effect 



of applying the randomizing operator S 



3 ' 



WA to 



an eigenvector of 



1/2- Clearly both I and U2 will have no effect on (and for this reason, there are no 
interesting schemes with only two unitaries) so we will be left with 



£(\m\) 



Writing p 



S{\4'){4'\), by the triangle inequality, we have 
I 



> 



tr 



and the left hand side of fll.3p is equal to 1. 

1 
3 
2 

< -. 

- 3 

Putting (I1.3P and (II ■4p together, we have 



I 



-Plltr + 



3 ^ 



1.3) 



tr 



Ul 



;i-4) 



tr 



1 

> -. 

- 3 



Thus we see that for 3 operators, we cannot do better than ^-randomizing of a qubit. We 
can achieve the ^ bound simply by taking any three Pauli operators, for example I, X, Z. 
Figure [TTT] gives a geometric representation on the Bloch sphere of this scheme. 
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The original state Rotation about the Z axis Rotation about the X axis Partially Randomized State 

created by averaging I, X, Z 
rotations 



Figure 1.1: Randomizing a single qubit using {I,X, Z}. Ai^er the randomizing operation, 
the state vector is contracted toward the totally mixed state. 



To prove that it is (|) -randomizing, take an arbitrary density matrix as in (11. 2p and 
apply £. 

8{p) = l{I + uiX + U2Y + U2Z) + l(I + uiX -U2Y -U2Z) + l{I-uiX -U2Y + U2Z) 
bob 



^- + ^X-^Y 
2 6 6 



^^3 



then we have 



tr 



6 



UiX — U2Y + u^Z 



tr 



(1.5) 



As {uiX — U2Y + u^Z) has eigenvalues ij-ul and \u\ < 1, (11.51) gives us 



Si, -I 



1 

< -. 

- 3 



Thus the randomization scheme consisting of applying one of {I, X, Z} with equal proba- 
bility is optimal for 1-qubit schemes using exactly 3 operators. 

Geometrically, we can easily visualize the one-qubit case. The image S{p) is obtained 
by adding the vectors piUipU}. Then the trace norm || S{p) — | ||^^ is the maximum over 
states p of the length of the vector £[p) in the Bloch sphere. 



1.6 Results 



We have shown two upper bounds for the amount of randomness required for e-randomizing 
maps in the trace norm. 
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In Chapter [3] we show by a probabihstic argument similar to that of Hayden et al. [12] 
that a sufficiently large random set of Pauli operators is e-randomizing with high proba- 
bility. 

Theorem 1.6.1. For every d, and e > 0, a sequence of ^log (^) d-dimensional unitary 
operators selected at random according to the Haar measure is e-randomizing with proba- 
bility at least 1 — e"*^/^. Thus log((i) + 0(log(l/e)) bits of key suffice to randomize arbitrary 
d dimensional states. Furthermore, for = 2", the unitaries may be selected uniformly at 
random from V{n). 

In Chapter H] we provide the best known explicit construction (Theorem 11.6.21) based 
on the work of Ambainis and Smith |5]. 

Theorem 1.6.2. There exists an efficiently constructible e-randomizing map on n qubits, 
and requiring 2^/e^ operators, or alternatively, n + log(l/e^) bits of key. 

Lower bounds. Chapter [5], have proven more difficult to establish. We have shown the 
following weak lower bound on the class of length-preserving e-randomizing channels that 
use only Pauli operators. 

Theorem 1.6.3. Let S C {0, l}" x {0, 1}" be a set of binary strings (a, 6), such that the 
map 

' ' {a,b)eS 

is e-randomizing. Then S is an e-biased space, and thus 

Our bound introduces a dependence on e, and is better than the naive bound for 
2^" < e < 2^"/^, where the bound becomes Vt (^). 

We have also done work on establishing a tighter lower bound by finding additional 
conditions that e-randomizing maps must satisfy. In particular, we show the following 
theorem specifying the action of e-randomizing maps on stabilizer states. 

Theorem 1.6.4. For every stabilizer group G = {gi, ...,gn), let G be the matrix with rows 
gi, gn- Let S C {0, 1}" x {0, 1}" be a set of binary strings (a, b) such that 
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is e-randomizing. Let G{S) be the distribution on {0, 1}" with p{k) = \G '^{k)\/\S\, where 
G^^{k) is the pre-image of k. Then G{S) must be at most e-away from uniform. 

In other words, in order for a set S to be e-randomizing, for every stabihzer state, the 
image of the hnear transformation given by its generator matrix G apphed to S must be 
nearly uniform. This condition is the strongest one that we have discovered, and imphes 
the weak lower bound of Theorem 11.6.31 



1.7 Related Work 



A 



map is said to be e-randomizing in the 2-norm if for every state 



d 



< 



Vd' 



Kerenidis and Nagaj [H] studied maps that act independently on each qubit, and found the 
minimal amount of entropy required to create independently acting e-randomizing maps 
in the 2-norm for each positive e. They determine the optimal approximate encryption 
schemes for 1 qubit with any given entropy and also show that the constructions of e- 
randomizing maps based on small-biased spaces of [5| do not work in the oo-norm. 

Christoph Dankert's thesis P on approximate 2-designs and mutually unbiased bases is 
related to this work. In his terminology, an e-randomizing map is an approximate 1-design 
for quantum states. This view may give some intuition into how to improve lower bounds. 

Dealing as it does with quantum state randomization, there are obvious parallels to be 
drawn with cryptography, both classical and quantum, and also on the precise nature of 
the relationship between quantum and classical information. 



Chapter 2 

Private Quantum Channels 



2.1 Quantum Secrecy 

Suppose we have two parties, Alice and Bob, sharing some key in a set {1, ...,m} with 
respective probabihties pk for the z'th key, and Ahce wishes to send some state p from a 
set S to Bob securely. A general encryption procedure would be for Alice to append to p 
some ancilla qubits in some state pa, which may depend upon the key k, and then perform 
some unitary operation Uk depending on the key k on the combined state p® pa [H]- She 
would then send the state she has created to Bob, who, knowing k would perform Ul and 
remove the ancilla to recover the state p. 

From the perspective of Eve who does not know fc, the state being sent will be a 
probability distribution over the possible ciphertexts: 

m 

Sip® Pa) = ^PiUi{p® Pa)U}. 
i=l 

In order for this procedure to be information-theoretically secure, an eavesdropper who 
obtains the encrypted state but knows only the distribution from which k is taken should 
not be able to gain any information about the state p. In other words, for any two states 
Pi,P2 £ the encrypted states S{pi ® pa) and £{p2 ® Pa) must be indistinguishable by 
any process; their density matrix representations must be equal ([TS], Section 9.2). We will 
write £{p) = Pq. 

Recall the definition of PQCs, Definition 11.3.11 (pl3]). Observe that if a scheme works 
for some set of states S, by linearity it will also work for convex combinations of those 
states, and hence if we have a PQC on pure states, it will also work for mixed states. As 
we will generally be interested in the case S = 7^2", this means that the totally mixed 
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state is a valid message, and it is clear that for any length preserving S, we must have 

n - I 
PO — 2^- 

Also note that although Eve cannot gain any information about the state that was sent 
via a PQC, she can still destroy it by measuring (or simply not transmitting it). This 
is equivalent to classically jamming a channel, and cannot be avoided (though it can be 
detected [B]). 

2.2 Classical One-Time Pad 

The classical one-time pad or Vernam cipher is well-known to provide perfect encryption 
for classical messages. To encrypt a message M, one first compresses it to its entropy 
n, and then uses a key k of the same length. The cipher text is obtained by taking the 
exclusive-or of the compressed message M' and k. If k is uniformly distributed, so is 
M' © k. To recover M', one takes the exclusive-or of the cipher text and the key to obtain 
(M' (B k) (B k = M' (B {k (B k) = M', and then reverse the compression procedure. It is 
also known [15] that this result is optimal for classical communication. In order to obtain 
a uniformly distributed cipher text, one must use at least n random bits (skipping the 
compression step simply means that more key will be used). It is noteworthy that this 
result does not translate directly to the quantum world; with a quantum channel and 2-way 
classical communication, one can perform a quantum key distribution (or more accurately, 
key-growing) protocol such as BB84 [7J using much less shared key, and then use the output 
of such a protocol to encrypt the original message. 

2.3 Quantum One-Time Pad 

One can generalize the classical one-time pad to the quantum world in the following manner 
([1], [H])- Instead of randomly flipping the bit value as in the classical case, one applies a 
random Pauli operator to each qubit. We have shown the one qubit case in Section 11.51 
Generalizing to multiple qubits is straightforward. We make use of the following technical 
lemma (|1], Lemma 4.4). 

Lemma 2.3.1 (^J, Lemma 4.4). Suppose that S{\(j)){(j)\ ®Pa) = Po whenever |0) is a tensor 
product of n qubits. Then £{\x){y\ ® pa) = whenever x and y are different n-bit strings. 

Theorem 2.3.2. [7^2-, ^n, 1/2"] is a PQC. 

Proof. The proof is by induction. We first observe that the claim is true for n = 1 (as 
shown in Section [T751) . We refer to the one-qubit scheme as S'. Then we claim that if S is 
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a PQC for 7^2^-1 ? then S ^ S' is a PQC for 7-^2'= • Consider an arbitrary pure state 

10)= (^xy\x)®\y). 
a;G{0,l}'=,J/e{0,l} 

Applying S ® S' to |0) yields 

{S®S')m<j>\) = {S0S')l Yl a.yal,y,\x){x'\®\y){y' 

\x, x'£{0, 1}'', y,y '£{0,1} 

= Y Oixy(yl,y,S{\x){x'\)^£\\y){y'\) 

x,x',y,y' 

= E cxxya:y£{\x){x\)0£{\y){y\) (2.1) 

El ,912^^-'- -^2 

x,y 

_ 

~ 2^ 

where (12.11) follows by Lemma 12.3.11 By convexity, S ^ S' is also a randomizing map for 
any mixed states. □ 

Ambainis et al. [1] prove a slightly more general version that also demonstrates that in 
fact the concatenation of arbitrary PQCs is a PQC. As choosing a Pauli operator takes 
2 bits, this scheme requires 2n bits of private key. 

It turns out that if we restrict to sending only qubits with only real amplitudes, for 
n = 1,2,3, n bits of randomness are sufficient to totally randomize any state, but this is 
equivalent to giving an adversary some information about each qubit. Similarly, there are 
PQCs for which po is not proportional to I, but these correspond to rather specialized sets 
of possible messages. For further details, see [1]. 

2.4 Lower Bound on Entropy of PQCs 

We have demonstrated that 2n bits of entropy is sufficient to securely send any ra-qubit 
state, and in this section we show that in fact this is the minimum amount of entropy 
needed to encrypt arbitrary n-qubit states. This result was first shown by Boykin and 
Roychowdhury in ^ for PQCs without ancillae. The more general case allowing a fixed 
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ancilla was shown in by Ambainis, Mosca, Tapp and de Wolf, and extended to a key- 
dependent ancilla by Nayak and Sen [l7j. Jain [13] has shown several related bounds. 

Boykin and Roychowdhury [8] showed that a superoperator £ = {^/pkUk} that totally 
randomizes arbitrary ra-qubit messages without the use of an ancilla must have the property 
that {Uk} spans C{2"'), and since any spanning set for £(2") must have dimension at least 

QYQj- 2n is a lower bound on the number of necessary bits of key. The proof here is 
a simplified version due to Ambainis Mosca, Tapp and de Wolf [4], and uses the following 
theorem (^^, Theorem 8.2). 

Lemma 2.4.1. Suppose two operators £ = {^/PiUi\^i and £' = {y/qjUj}JLi (one of them 
possibly padded with operators) are such that for every state p, £{p) = £'{p)- Then 
there is some unitary A G C{m) such that 

m 

i=i 

Theorem 2.4.2. If [n2",£ = {^Ui : I < i < m},l2"] is a PQC then the Shannon 
entropy H{pi, ...,Pn) > 2n. 

Proof. Let £' = |-7=a^ : x G {0, 1, 2, 3}"| be the superoperator defined in Theorem l2.3.2[ 

let k = max{22", m}. Since £{p) = £'{p) = I2" for all states p, £ and £' are unitarily related 
as in Lemma [2.4.11 So, there is a A; x unitary matrix A such that VI < i < m we have 



ViUi 



5Z ^" 

xe{0,l,2,3}" 



(2.2) 



The set of 2" x 2" matrices forms a 2^" dimensional vector space with inner product 
(M, M') = Tr(M^M')/2", and induced norm II M II = ^J{M, M) (This is simply a re- 
normalization of the 2-norm, Section [A. 2. 11 p j49il . Note that || f/ || = 1 for unitary U and 
the set of all forms an orthonormal basis for this space (Lemma IA.1.51 p j47I) . so we 
have: 

1 



Pi 



)2n 



)2n 1"^" 



|2 < 2-2-. 



Thus we have m > 2 and H{pi, ...,Pm) > 2n. 



(2.3) 



□ 



In general, one might imagine that the use of an extra ancilla state (which Bob does not 
need to know the state of) in addition to classical randomness might reduce the amount 
of entropy needed, but as was shown in [1], this is not the case. Nayak and Sen showed 
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that the even in the most general setting in which the ancilla may depend on the key, the 
same lower bound holds pTj . 

The method used to prove this in [HllTj is to first show that any PQC on n qubits can be 
transformed into a PQC on the set of classical states of length 2n (i.e., {\j) \ j = 1, 2'^^}) 
and then prove a "quantum analog" of Shannon's Noiseless Coding Theorem [19], i.e., 
demonstrate that in order to privately send 2n classical bits via a PQC, one must use 2n 
bits of entropy. 

Transforming a PQC £^ on n qubits into a PQC S' on 2n bits is achieved by encoding 
pairs of bits as Bell states, and then randomizing one qubit of each using S. As randomizing 
half of a Bell pair leaves the whole pair in the totally mixed state this gives us a way to 
securely transmit 2n classical bits. 

Theorem 2.4.3. Let C2„ = {\j) \ j = 1, 2^"} be the set of classical messages on 2n bits. 
If [0.2"^, S, Pa, I2"] is a PQC with £ = {y/plUi | i = 1, m}, there exists £' = {^/PiU- 
l,...,m} such that [C2n,£', PaA2'^"] is a PQC. 



|00) + 111) 



We give a sketch of the proof, and refer the reader to [1] for details. For simplicity 
of notation, assume no ancilla is used. Its addition does not affect the proof in any way. 
Divide |j) into n pairs of qubits, {i,n + i), i = 1, n. Map each pair to a singlet state as 
follows 

|00) . 
|01) . 
|10) . 



V2 
|00) - 




|01) + |10) 


|oi)- 


|10) 



Note that applying a Pauli matrix to the first (or second) qubit of each of these states 
takes it to one of the others, and that applying a random Pauli chosen uniformly to the 
second qubit of any pair takes it to the totally mixed state ^- Define Ul = I2" ® Ui. Then 
S' maps each pair of qubits {i,n + i) to the totally mixed state (via a proof similar to that 
of , and hence £'i\j){j\) = for each |j) G C2n- 

As the states of C2n correspond to the possible 2r;,-bit strings, this shows that any 
PQC for arbitrary n-qubit states can be used to perfectly encrypt arbitrary 2n-bit classical 
messages. Shannon's Noiseless Coding Theorem [12] implies that in order to securely 
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classically communicate n bits of classical information, one must use a key of at least n 
bits of entropy. While the theorem does not carry directly into the world of quantum 
communication (and is violated in the case of 2-way communication), one can prove the 
following analogous statement [H |17] . 

Theorem 2.4.4. Suppose p is an n-qubit state, Uk is a unitary operator on d > 2" 
dimensions, and pk is a density operator of (i/2" dimensions (a key-dependent ancilla 
state). Let £ = {{y/PkUk, pk)}^_-^ be the superoperator that applies Uk to p pk with 
probability ^>fc. If [H2",S,Po] is a PQC, then 

H{pi, ...,prn) > 2n 

where H{pi, ...,Pm) is the Shannon entropy of the distribution of the p^s. 

Corollary 2.4.5. The quantum one-time pad of Theorem 12.3.21 is optimal. That is, any 
other PQC on n qubits uses at least 2n bits of entropy. 

We have a complete characterization of PQCs for ra-qubit systems. In fact the same re- 
sults generalize to d-dimensional systems by using the Heisenberg-Weyl operators (Section 
IA.1.3[) rather than Paulis. 



Chapter 3 



Probabilistic Constructions of 
Approximate Randomizing Maps 

3.1 Why Probabilistic Bounds? 

Given that we have exphcit constructions that match the best bounds we have obtained 
using probabihstic bounds, one might ask what the interest of these bounds is, especially 
for the case of random matrices selected according to the Haar measure, which are not effi- 
ciently constructible (they generally require an exponentially large amount of information 
to specify). They are interesting for two main reasons. The first is that they not only show 
the existence of randomization schemes, but also, by the addition of only a small amount 
of extra randomness can show that the overwhelming majority of sets of random operators 
are randomizing (or in the case of the trace norm, most sets of Pauli operators). The 
second point is that by developing these techniques, we exhibit tools that may be useful 
in other analyses. 

3.2 Infinity Norm 

Hayden et al. [1^ showed that by relaxing the security requirement on Private Quantum 
Channels by allowing a small amount of information to leak, that is, allowing messages 
to be encrypted to states that are "very close" rather than identical, one can reduce the 
amount of private random key needed to encrypt a quantum state by a factor of two. 

Recall the definition of e-PQCs noted in (11. ip on page [51 Observe that this definition 
is in the trace norm. Hayden et al. gave results in the infinity norm. In particular, they 
showed the following theorem. 
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Theorem 3.2.1. For every d, and e > 0, there is a set S* of m = ISAdlogd/e^ unitary 
operators of dimension d such that for every pure state \^p){^p\ 



We observe that the maps described in this way are in fact e-randomizing in the fol- 
lowing simple lemma. 

Lemma 3.2.2. Any completely positive trace-preserving (CPTP) map S : B{C^) B{C^) 
satisfying || £{\lp){lp\) — ^||^<e/(iis e-randomizing. 

Proof. This follows from the definitions of trace and infinity norms. On normal matrices, 
the former corresponds to the sum of the magnitudes of the eigenvalues, and the latter to 
the largest eigenvalue. Clearly if the largest eigenvalue is bounded by e/rf, then the sum of 
the magnitudes of the eigenvalues is bounded by e. For further discussion of norms, refer 
to Appendix IA.2[ □ 

The proof of Theorem 13.2.11 proceeds in several steps. The first step is to prove the 
following lemma of Hay den et al.. 

Lemma 3.2.3 ([12])- Let be a pure state, P a rankp orthogonal projector and let {Uj)JLi 
be a sequence of dimension d unitary operators selected independently and uniformly 
according to the Haar measure. Then there exists a constant C > (61n2)~^ such that 
for < e < 1 



This bounds the probability that for a fixed state (p, a sequence of m random unitary 
operators fails to randomize (p. This is done using a tail inequality known as Cramer's 
Theorem (see for example [ID])- As this lemma is not used in our argument, we omit the 
proof, and refer the interested reader to [12]. 

Next, the approximate randomizing property is extended to all states by showing that it 
suffices to randomize a suitable set of finitely many pure states through a net construction 
(Section 13.2. ip . This allows us to work with only a finite number of states. 

Finally, we apply a union bound to show that for such a random sequence of unitaries, 
the probability that every state in the finite set is randomized is non-zero. This then 
implies that there is a set of m unitaries that approximately randomizes every state. 




oo 



(3.1) 
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3.2.1 Discretization of State Space 

In order to show that we need only consider a finite number of states, we need to show that 
if two states \4>){(f)\ and {ipXipl are "close enough" together, then randomizing one implies 
that the other is also randomized. We must first show that there is in fact a finite set of 
states A4 such that every state is close to some element of Ai. 

Definition 3.2.4. For a metric space X with norm || ■ ||, a set Ai is called an e-net for X 
if for every element x G X there exists an element x ^ Ai such that 

II X — 5; II < e. 

We wish to show that there is a finite e-net for the set of pure states of dimension d 
under the trace norm. 

Lemma 3.2.5. For every positive integer d and < e < 1, there exists a set of pure state 
density matrices At = {ipi \ 1 < i < m} such that m < and for every pure state 

density matrix ip, there is some ip E Ai such that \\ip ~ (f H^^. < e. 

Proof. We give here a version of the proof from [12]. By Lemma [A. 2. 131 (p JMl) . to find an 
e-net of pure density matrices in the trace norm, it suffices to find an (e/2)-net Ai' of the 
set of unit vectors in C^, or equivalently M^'^, in the Euclidean norm. Let A4' = H'lpi) \ 1 < 
i < m} be a maximal set of unit vectors such that for any i,j, \ lipi) — {ipj) \ > e/2. Such 
a set exists by Zorn's Lemma, and is by definition an (e/2)-net for the unit ball in M^"^. 
We will bound m by a volume argument. Consider the (e/4)-balls around the points of A4 
as sets in M^''. The balls are pairwise disjoint, and are all contained in the ball of radius 
(1 + e/4) centred at the origin. Thus we have 

^ 7r^(e/4)'^ ^ 7r'^(l + e/4)2'^ 



T{d+1) - T{d+1] 

2d 

/ 4 + e \ 

m < 



< 



e 

2d 



□ 



3.2.2 Proof of Theorem [37231 



Proof. To show the result, we bound the probability that for a random sequence of uni- 
taries, some state is not adequately randomized. That is, for {Ui}, i = I, ...,m, a sequence 
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of d dimensional unitary operator-valued random variables selected according to the Haar 
measure, we bound 



Pr 



sup 

p 



^ m 

m ^-^ 



> 



d 



(3.2) 



By Definition IA.2.71 (pJ5Tl). equation fl3.2p can be rewritten as follows: 



Pr 



sup 



1 1 

j=i 



> 



d 



(3.3) 



where a and if can be taken to be pure by the convexity of | ■ |. Now, let Ai be an {e/2d)-net 
of pure states in the trace norm, and for a pure state r, let f denote an element of such 
that II r — f ||^.j. < e/2d. By Lemma [3.2.51 we can construct Ai such that |A^| < (^) . 
Now using the triangle inequality we write 



Pr 



sup 



e 

> - 
- d 



< Pr 



1 1 

m ^ 

sup sup — Tr ([/jcrt/jy)) — Ti{UjaU'^j(p) 



m ^ 

E- 



+ 



Tr(f/,a[/j^) - - 



d 



e 

> - 

- d 



(3.4) 



Applying the triangle inequality to the first term, we have 

Tr(f/,-af/j(^) - Tr(f/,-a?7j^) 

Tr (UjaU^jip^ - Tr (u.aUj'f^ + Tr (UjcrU]g>'^ - Tr (f/^af/j^ 
Tr {{u.aUj) (cp - ^)) | + |Tr {{uj^U,) {a - d 



< 



which, as the first term of each of the products in the trace are simply rank 1 projectors is 
bounded by 
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As o" — cr is either or rank 2, and Ai is an (e/2c?)-net we have 



^-^lloo+ 11'^-^ 



1 

ltr+ 2 



< -\\a - a IL + - \\V - V 



< 



So we can bound (13. 4p by 



Pr 



sup 

CT,ip 



2d' 



< Pr 



- V Tr {UiaU\ 

m 

^^pE- Tr(f/,-f/j^) - - 



> 



2d 



(3.5) 



Now we can replace the the optimization over pure states in (I3.5p by the maximum over 
Ai, and apply a union bound to obtain 



Pr 



max 



i=l 



e 

> — 
- 2d 



< iTWp max Pr 



if]Tr([/,a^t^)-i 
m ^-^ d 



< 



lOd 



Ad 



exp 



m 

i=l 

Cme^ 



> 



2d 



4 



If this probability is bounded away from 1, it means that there is a non-zero probability 
that every state is randomized by a random selection of m unitaries, and thus there exists 
a randomizing map using at most m operators. This last is bounded away from 1 for 



IQd /lOd 
m > 7717 In 



and for e > ^ this gives 



m > 



134rflnci 



For smaller e, we have m > d^, which is worse than the upper bound of achieved by 
using Pauli (or Heisenberg-Weyl) operators. □ 
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3.3 Trace Norm 



Inspired by the previous theorem, we were able to prove a more relevant result (in the 
sense that the trace norm is generally a more useful measure than the infinity norm), 
Theorem 11.6.11 (pEI), in the trace norm. 

Our proof is quite similar in structure to that used by Hayden et ai, but differs substan- 
tially in the details. We use McDiarmid's inequality [15] rather than Cramer's Theorem in 
the large deviation bound, and can use a coarser net (i.e., fewer states) due to working in 
the trace norm. Before proving Theorem II. 6. H we introduce McDiarmid's inequality. 

Proposition 3.3.1 (McDiarmid's Inequality [15]). Let Xi,X2, . . . be n independent 
random variables, with X^. taking values in a set for each k. Suppose that the measurable 
function / : ^1"^^ — M satisfies 



whenever the vectors x and x' differ only in the k-th coordinate. Let Y = /(Xi, X2, . . . , Xn) 
be the corresponding random variable. Then for any t > 0, 



Proof of Theorem \1.6.1\ Once again, we consider a sequence of m unitary operators {Ui\ 
chosen independently and uniformly according to the Haar measure on U{d) and the cor- 
responding randomizing map 



Fix a pure state ip G C{d). Our first step is to bound the expected distance of £{^) 
from the totally mixed state 1/d. Define the random variable Y^p as 



\f{x)-f{x')\ < c. 



Pr [Y - E(r) >t] < exp 





I 
d 



tr 



By Lemma IA.2.121 (p i53|l we have 



I 
d 



2 



(3.6) 
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Then by definition of tlie 2-norm (Definition IA.2.21 pH9 



I 



d 

Tr (^S{v) 
Tr Si^r - 
Tr £{cpr ■ 



^Tr^M + Trl 
1 

d' 



(3.7) 



Expanding S{ip), we get 



(3,i 



Here, we have used the fact that Tr(cr^) = 1 for any pure state density matrix cr. 

Recall that the unitaries are chosen randomly according to the Haar measure. Taking 
expectation over the random choice of unitaries, we get 



E|^j[Tr^(^)2] 



< — + EuTt (fU^U^ 
m 



(3.9) 



(3.10) 



where the unitary U has the same distribution as the Ui. For all pairs i ^ j-, the prod- 
uct UlUj has the same distribution, that of [/, since the underlying sample space U{d) is 
a group under matrix multiplication. 
Note that for a pure state ip = Iv^Xv^l, 

= E^\{ip\ip)f , where {ip) is uniformly distributed (3.11) 

= — . By symmetry (3.12) 
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Stringing equations (13.61 13.71 13.81 13.101 13.121) together, we get 

I 



d 



= VrfE(Tr^(v9)2--j 

< \fd f E[Tr — - j , By Jensen's inequality 



< 

m 



(3.13) 



We now note that the function f^iUi, U2, ■ ■ ■ , Um) defining the random variable has 
bounded difference. In other words, if we replace any one of the unitaries f/j by another 
unitary ?7j, the function value changes by a small amount. Denote the randomizing map 
given by the modified sequence 



(f/i, U2, . . . , Ui-i, Ui, f/j+i, . . . ,u„ 



by S. Then, we have 



^(t/i,f/2,...,t/„...,t/J-^(t/i,f/: 



25 • • • , Um 



(3.14) 



d 



tr 



tr 



< 



tr 



m 
2 

< — 



By the triangle inequality 



(3.15) 



The McDiarmid bound (Proposition 13.3.11 along with equation (13.151) ) immediately 
implies that for any fixed pure state 93 G C"', 



2~) ■ 



This implies, using our bound from equation (13.13^ on the expected value of F^, 

Ft[Y^ > 6 + y'd/m] < exp 



(3.16) 
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From Lemma [3.2.51 we know that every pure state ip E C is //-close in trace norm to a 

pure state if from a finite set Ad of size < f | j . By the triangle inequality, and the 

unitary invariance of the trace norm (Lemma IA.2.151 p l55l) . it is straighforward to show 
that lY"^ — F^l < T]. Therefore, if > e, then > e — t] for some (f E Ai. 

We can now bound the probability that the map R fails to randomize some pure state. 

7]] Prom the discussion above 

By the union bound 

^/d/m Y—^ By equation fl3.16p 



if rj is chosen to be at most e/3, and m at least 




Thus, the overwhelming majority of random sequences of m unitaries selected according 
to the Haar measure are randomizing to within e, with respect to the trace norm. 

□ 

3.3.1 Using Pauli Operators instead of the Haar Measure 

The only place we used information about the distribution of the operators chosen was in 
calculating (13. 9p . If instead of taking unitaries distributed according to the Haar measure, 
we instead select only among Pauli matrices, the same result holds. 
Let d = 2"^ for some integer m, and consider 

^ m 

m ^ — ^ 

i=l 

where the Pi are uniformly distributed Pauli matrices. Observe that the product of two 
uniformly distributed random Paulis is, up to sign, another uniformly distributed random 
Pauli. Thus we can say as before: 



Pr [3if ■.Y^>e] 

< Pi[3ip e M ■.Y^> e 

< \M\-Pr[Y^> e-ri] 

5^ 



< 



< 



2d 



V 

-d/2 



exp 



E|p^|[Tr Sivf] < - + Ep [Tr {^P^P^)] 
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and we have to calculate 



d2 



1=1 



rl ^ 



1=1 



Tr(P,y.) 



4~d 



1 



l|2 



(3.17) 



Where f l3.17p is because the set of Pauli matrices forms an orthogonal basis for for the 
space of unitary operators under the inner product 

(f/, V) = Tr(f/V) 
(Lemma IA.1.51 pHTj), and each unitary has norm 

\\U\\2 = Vd. 

Thus, when we are working with spaces of appropriate dimension we can choose the 
unitaries in Theorem 11.6.11 uniformly among the Pauli operators. This is important, as the 
Pauli operators are efficiently describable, and (presumably) relatively easily constructible. 
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Explicit Constructions of 
Approximate Randomizing Maps 

4.1 Previous Work 

In Chapter [3l we showed that there exist e-randomizing maps on n qubits that require at 
most n + 0(log(l/e)) bits of key. In this Chapter, we give explicit constructions of maps 
that meet this bound. 

The first explicit maps were exhibited by Ambainis and Smith [5], and make heavy use 
of the constructions of e-biased spaces of Alon et al. [3] and Alon, Bruck et al. [2]. For an 
introduction to e-biased spaces, see Appendix O In [5], Ambainis and Smith give three 
constructions of e-randomizing maps. The first uses n + 21ogn + 21og(l/e) + 0(1) bits of 
key, the second ?t, + 2 log(l/e) bits of key, plus 2n additional classical bits of communication, 
and the third n + min{2 logn + 2 log(l/e), logn + 3 log(l/e)} + 0(1) bits of key. The first 
two schemes use only Pauli operators for the maps, and the third uses Heisenberg-Weyl 
operators in d dimensions. All are constructible in polynomial time. 

Our contribution is an improvement over the schemes of [5]; we provide a scheme using 
n + 21og(l/e) + 0(1) bits of key, but without additional classical communication overhead. 
Our construction is based on one of the constructions of Alon, Goldreich, Haastad and 
Peralta [3] and a theorem of Ambainis and Smith connecting the existence of small bias 
spaces with e-randomizing maps. 

4.2 Construction of e- Randomizing Map 

Ambainis and Smith [5J prove the following theorem. 
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Theorem 4.2.1. Given a 5- biased space S C {0, 1}" x {0, 1}", the map 

' ' ia,b)eS 

is e-randomizing on n-qubit states for any e such that 

We include a version of their proof, as it is critical to our construction. 

Proof. Let S C {0, 1}^" be a 5-biased space. We interpret elements of <S as a concatenated 
pair of n-bit strings (a, b), and let 



Since we have 



2" 



2" 



and as S{p) is a density matrix, it is Hermitian and has trace 1, (S{p) — = — 
using linearity of trace we obtain 



= IY((£(p)f)-2 
= Tr(£(p^))-1, 



Tr(£(p)I) Tr(l2) 



+ 



22" 



(4.1) 



We evaluate Tt{S{p'^)) by expressing it in the Pauh basis. We can express p in the Pauli 
basis as 



u,v&{0,l}" 
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with au,v = Tr(Z^X"p), and obtain 
Tr(^(p)2) 



\ \ ' ' {a,b)es \ u,ve{o,i}'- J J 

yy ' «,-uG{0,l}" (a,6)e5 j j 



(4.2) 

(4.3) 
(4.4) 



(«,«)^(0,0) 



where (14.20 comes from the commutation relation between Pauh operators, (14. 3 p follows by 
the linearity of expectation, and Equation (14.41) is from (1A.2|) . pl50l Then as S is 5-biased, 
have have 

^(^(P)^) < ^ + ^(^'Tr(p^)) 
Setting b = and using (14.11) . as || p < 1, we have 



and by Equation flA.6p in Lemma IA.2.121 (p 



< 



< e. 



□ 



We can now use this construction to prove Theorem 11.6.21 (page IH]), i.e., that there 
exists an e-randomizing map using n + log(l/e^) bits of private key. 

Proof of Theorem \1.6.S[ Using the third e-biased space construction of Alon et al. [3] (Sec- 
tion [C]2]), with bias 5 = and rs = 2n, Proposition IC.2.11 gives us 
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substituting and taking logs, we obtain 

, . , n (In \ 

and by the monotonicity of log, 

r + logr < — + logn — loge + 1. (4.5) 

Setting 2r = n + log (^) , we have 



r + log r = 




Again, applying monotonicity of log, we have (14. 5 p holds for e > 2^"/^, and as we need 2r 
bits to specify a string in 5, we can use this many bits of key. 

For e < 2~"/^, we can simply use the Quantum One Time Pad (Theorem 12.3.21 p IT2|) . 

□ 

This scheme has several advantages. A circuit for implementing the scheme is also sim- 
ple, requiring only classical control and one-qubit Pauli gates. No communication outside 
the n-qubit message is necessary. From the length of the received message (n qubits), the 
recipient can in polynomial time deterministically obtain a primitive polynomial of degree 
r over GF{2) (using for example the results of Shoup [20]). As the process is deterministic, 
both the sender and the receiver will arrive at the same representation of GF{2^). Given a 
particular representation, computing the key requires 2r multiplications in the field, each 
taking O(r^) bit operations, and 2r binary inner products, each costing 0{r) bit opera- 
tions. Thus one can compute the key to use in 0{r^) < 0{n^) bit operations. While this 
is larger than we might like, it is not too unwieldy. As such, this scheme seems to be quite 
practical and suitable for real use, should the need arise. 

As shown by Kerenidis and Nagaj [I^ , Theorem 14.2.11 does not hold in the oo-norm. 
The probabilistic results of Hayden et al. [12] remain the best known in the oo-norm. 



Chapter 5 
Lower Bounds 



We have done work towards finding a tight lower bound for the amount of classical entropy 
needed to e-randomize an arbitrary quantum state, and have shown several results. Prior 
to this work, the best bound known to the author was logrf — 0(1) bits of randomness 
required to randomize quantum states of dimension d (we give a proof in Section [5?T1) . This 
is very unsatisfactory, as we know that for e = 0, 2 \ogd bits are necessary, while for e > 0, 
log(i + 0(log(l/e)) are known to be sufficient. Thus the independence of the known bound 
from e is troubling. 

For the purposes of this chapter, we consider e-randomizing maps on pure states of n 
qubits (i.e., d = 2") with the property 

where each U G iS is a tensor product of single qubit Pauli operators. We have demon- 
strated (Sections 15. 2[ 15.31) a weak lower bound on |iS| that is dependent on e in the trace 
norm. Our bound is of the form |iS| > fl (^). This is stronger than the naive bound for 
e < 2~"/^, but is clearly not tight. We have also developed conditions that the set S of 
operators must satisfy that we hope can be used to prove a stronger lower bound. 

We conjecture that the upper bounds established by our protocol (Theorem II. 6. 2[ pj8]) 
are in fact tight. 

Conjecture 5.0.2. Let {Ui, Um} be a set of unitary operators and £{p) = ^ Ylf=i ^jP^j 
Then if £ is e-randomizing on C^, m> d/e'^ for some constant c. 
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5.1 Naive Lower Bound 



The following bound on the minimum number of unitary operators needed for an e- 
randomizing map employs a simple rank argument. It shows that for an n-qubit state, 
at least n — o{l) bits of key are required. 

Theorem 5.1.1. Let S : C{d) C{d) be an e-randomizing map such that there exists a 
sequence of unitary operators {f/j }j=i_...^m with S{p) = ^ Yl^=i ^jP^j y then m > d{l—e/2). 

Proof. Note that S{p) is a normal operator and thus there exists some unitary Vp such that 
VpS{p)V^ is diagonal, and as the trace norm is unitarily invariant (Lemma IA.2.15t p J55l) 



d 



tr 



tr 



Then, as £{p) has rank at most m, and as £ is e-randomizing 



21- 



d 



< 



m > (1 - f ) . 



< e 



□ 



5.2 Weak Lower Bound in Trace Norm 

We wish to demonstrate a lower bound on the number of operators needed to e-randomize 
an arbitrary quantum state. To begin with, we consider a restricted class of randomizing 
operators: those formed by taking only Pauli operators on n qubits. In this section, we 
prove Theorem 11.6.31 plH connecting the existence of approximately randomizing sets with 
the existence of small-bias spaces. 

Note first that in order to randomize all states, £ must clearly randomize the Pauli 
eigenvectors. We will develop our bound by considering the results of £ on these states. 

For an n-bit string c, define \c){c\ = <S)l=i |ci)(cj|. Consider the action of £ on the state 
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|0)(0|®". We have 



J2 X''Z''\0){0\^'' Z^X" 

' ' {a,b)eS 

n 

' ' (a,fe)e-s i=i 
1 " 



{a,fe)G-S j=l 



15 



(a,fe)e5 



By replacing the initial state |0)(0| with \x){x\ for some n-bit string x, the final equation 
becomes 



(5.1) 



(a,fe)e5 



and as (15.11) is diagonal, with x corresponding to a re-ordering of the rows, we have 



This demonstrates that it is not important which particular string we start with, only that 
it is in the same basis. If instead of considering the Z eigenvectors, we consider X and Y , 
we obtain very similar results. 



1 ^ X"Z^|+)(+|®"Z''X'^ 

' ' (a,fe)65 

1_ Z^\+){+f''Z^ 
' ' {a,fe)e5 

n 

Ts\ E (8)l(-i)'0((-i)'^l 



{a,fe)e5 i=i 



1 ^ H^n^^^^^^^n 



{a,b)€S 
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and 



{a,b)£S 



1 " 

= ^ E (8)l(-i)"^®'^^X(-i)"^ 



ia,b)eS j=l 
' ' {a,b)eS 



\a®b){a®b\{HPY 



where P 



1 



and the same remark we made with respect to changing to 1 



holds mutatis mutandis for {+,— } and {+z, — z}. As we have seen above, the "sign" on 
each qubit is immaterial and we need only concern ourselves with the basis ({0, 1} = Z, 
{+, —} = X or —i} = Y) that each qubit is drawn from. We formalize this notion 
here. 

A single Pauli eigenvector on n qubits defines an orthonormal basis for the space of 
states on n qubits as follows. 

Lemma 5.2.1. Given a Pauli eigenvector of dimension 2", there is an orthogonal basis of 
Pauli eigenvectors for including that eigenvector. 

Proof. Let w = wi,W2,...,Wn, and V 



Wi e {0, 1}. Define \w.^ V){w, V\ = <S)%i 5+^^ 



Vi (g) ... (g) Vn where each Vi G {X,Y,Z} and 
a tensor product of Pauli eigenvectors). 
For each c c' E {0, 1}", observe that |c, V){c, V\ and |c', V){(^, V\ are orthogonal (as the 
inner product commutes with the tensor product), and that as there are 2"' such states, they 
form a basis for C^". Thus the string V can be taken to define a basis in this manner. □ 



These bases form equivalence classes of Pauli eigenvectors, \w,V) 
pair of strings b and b' and as we have seen above 



\w',V) for every 



S{\w,V){w,V\) 



I 

2" 



S{\w',V){w',V\) 



I 

2" 



(5.2) 



tr 



As these operators are all diagonal, we can make the following simplification. For any 
V e {AT, F, Z}®" define ay : S ^ {0, 1}" as follows: 



av{{a,b))j 



% © bj 



z 

X 
Y 
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Now for any Pauli eigenstate \w, V), we can write X°'Z'^ \w, V) = |(Ty((a, b)) © w, V), and 
using (15.21) ■ we have 



£{\w,V){w,V\)- 



I 



tr 



J2 Wv{{a,b))®w,V){av{{a,b))®w,V\ 



I 



tr 



^ J2 Wv{M),V){ay{{a,b)),V\-^ 



(a,6)65 



tr 



as each of these is diagonal in the V basis, this is the same as taking the variation distance 
from the uniform distribution: 



fce{o,i}'' 



\s\ 



1 

2" 



where (Ty^(fc) is the preimage oi k E {0,1}". Then the e-randomizing condition is a 
requirement that the distribution (Jv{S) is "nearly uniform" for every basis V. More 
precisely, define the distribution Dy on {0,1}" as -Dy(x) = -j^ For £ to be 

e-randomizing, it is necessary that 



max 

V 



E 

a;G{0,l}" 



Dv{x) - 



< e. 



In fact, the following lemma shows that we can take the maximum over all strings, 
rather than just valid bases. This requires that we generalize the definition Dy- 

Lemma 5.2.2. Let 5 be a set of strings such that S is e-randomizing on all n-qubit Pauli 
eigenstates. For every string W G {00, 01, 10, 11}", let kw be the number of times that 00 
occurs in W. Then 



max 
w 



xe{o,i}' 



Dw(x) 



2n—kw 



< e. 



Proof. This follows as Dw is simply a marginal distribution of some Dy, where V is as 
above. 

□ 
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Each W can be taken as a characteristic vector selecting a subset of bit positions from 
1, ...,2n in S, where the jth bit position is selected by W if Wj = 1. Each Dy is e-away 
from independence, thus as discussed in section IC.lt for any subset of the random variables 
consisting of the bit positions of S, the XOR of those bit positions has bias at most e, and 
thus S is e-biased. Then by Theorem IC.3.11 (pj671). \S\ > Q (^ e2iog(i/e) ) > which establishes 
Theorem 11.6.31 

While this result is not tight, and in fact for e > 2^"/^ is weaker than the naive bound, 
it is interesting in that it does depend on e, and it is the best known lower bound for 

2"" < e < 2""/2^ 



5.3 An Alternative Proof 



Subsequent to finding the previous result, we examined the effect of applying S to other 
types of states in the hopes of finding more conditions on S. By considering so called "cat" 
states rather than tensors of Pauli eigenvectors, we developed the following alternative proof 
of Theorem ll.6.3[ 

In general, a cat state is a pure quantum state |0) such that if any subsystem is traced 
out one is left with a random choice of two orthogonal states. For our purposes, we will 
consider only those cat states of the form -^\'^) + where \ip) is a Pauli eigenvector 
\w, V), and |<^) is \w, V), where W is the complement of w. 

Similarly to the previous proof, we can consider the result of an e-randomizing map on 
a cat state. First, consider |0) = -^(|0") + |1")). Applying X"-Z^ to |0) yields the state 



-^(|a) + (-1)1^1 |a)). 

where |6| is the Hamming weight, or number of Is in b. 

If a set of strings S is to have the e-randomizing property, then we must have 



(5.3) 



1 

W\ 



J2 x^z^ 

{a,b)eS 



I 



< 



tr 



As i forms a basis for state space, this means that we must have that 

Bias(|6|) < e. To justify this claim, observe that if Bias|6| > e, with say, Pr = mod 2] = 
p > iy^, then the projection onto the subspace spanned by the "plus" states will have prob- 
ability p, and onto the minus states 1 — p, and the bias of this variable will be at least 
e. 
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In fact, we get the same result if instead of using 0" and 1", we use an arbitrary 
{0, 1} string w and its complement w, the result is :^(|ct (B w) + (—1)'^' \a © w)). So, as 
previously, we ignore the exact state, and consider only the basis it is chosen from. That 
is, instead of choosing w G {0,1}", we choose it in {X,Y, Z}"'. Thus our example state, 
and the restriction on Bias(|6|), was the result of choosing w = Z". If we choose the 
string w = X", we similarly observe that Bias(a) < e by conjugating with Hadamards, 
and invoking the unitary invariance of the trace norm (Lemma IA.2.15[ p iS^ and similarly 
Bias(|a © b\) is bounded by considering w = ¥"■. As before, we can extend w to include I. 
Having an I in the jth position of w means that we do not test the value of either aj or bj. 
It corresponds to randomizing a state that has the jth qubit in the totally mixed state. 

To prove the result, we must show that for any subset of the bits of {a,b), ie, for any 
W C [2n], the bias oi W in S is at most e. We identify X = 10, F = 11, Z = 01, 
and I = 00, and then for each possible W, we can construct an appropriate state w, and 
claim that if S is e-randomizing, the subset of bit positions corresponding to W must be 
unbiased, and thus the result follows. 

This proof demonstrates an interesting point, while for example in considering the state 
fl5.3p we only focus on the bias the bits of b, we completely ignore the stronger condition 
that the strings a must be nearly independent. In developing stronger bounds, this may 
be of interest. 

5.4 Conditions For e- Randomizing Maps 

By examining the action of S on certain classes of states, we can discover conditions on 
the maps in S that may eventually lead to a tigher lower bound. 

5.4.1 Subspace States 

We consider the results of applying Pauli maps to uniform superpositions over linear sub- 
spaces of ^2 . These spaces correspond to codewords for linear codes and this proof requires 
some familiarity with the same. For an introduction to the subject covering all the required 
material, see |18j . 




Let {wi, ...,Wk} be linearly independent vectors in Let W = spa.n{wi, ...,Wk} over 
Z2. Then a uniform superposition over W, which we represent \W) is 




\W) 
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Also define W to be the dual space of W, that is, 



W 



■± 



{v \ w ■ V = Ww G W}. 



If W is the linear operator with rows Wi, ...,Wk, then we have W is the kernel of the linear 
map W, and hence dim(iy) + dim(W^-'-) = n, and thus we can find linearly independent 
Wk+i, ■■■,Wn such that W-^ = span{wk+i, w„}. 

Lemma 5.4.1. Let X^-Z^ be a Pauli operator. Then 



Proof. If a e W, then applying X" to \W) will simply permute the elements of W. If 
a ^W, then for each w eW, a(Bw ^W, and hence the inner product will have disjoint 
elements on the left and right, and thus every pair will annihilate. For Z^, we have 



Thus, if 6 G W-^, Z'' \ W) = \W). However, if & ^ W-^, then there is some basis of W 
{vi,...,Vk} such that b ■ Vi = 1 and b ■ Vj = for each j = 2,...,k. Thus by linearity, 
b ■ w = 1 for exactly half of the strings in W, and hence {W \ Z^ \ W) = 0. Finally, we 
observe that after applying Z^, if a ^ W, the signs on each element of the superposition 
are irrelevant, and that if a G W, we simply change which elements have —1 factors, and 
not the sum. Thus {W\ X^Z^ = 1 if a G and & G M^^, and otherwise. □ 

This immediately yields the following corollary. 

Corollary 5.4.2. Given strings a,a',b,b' and \W) as above. 



and observe that X"-Z^ \ W) is constant on pairs of cosets, and orthogonal for different pairs 
of cosets. Further, as \Z2/W\ x IZ^/W^] — 2"~'^2*^, we have that these coset states form 
an orthogonal basis for the state space on n-qubits. 






1 a a + a' eW andb + b' eW 
otherwise. 



■± 



As W and W-^ are normal subgroups of Zg, we can define the coset map 

{a,b) ^ {a + W,b + W^), 
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We can use the fact that is a hnear subspace to find exphcit coset representatives by 
exploiting the parity check matrix for W. Let H be the matrix with rows Wk+i, ■■■,Wn, that 
is, the basis vectors of W-^. Clearly Hw = for every w G W. H is called the parity check 
matrix for the code W. Furthermore, is the generator matrix for the dual subspace, 
W-^. Similarly, G, the matrix with columns Wi, ...Wk is the generator matrix for W, and 

the parity check matrix for W-^. Thus the map 

(a, 6) ^ {Ha,G^b) 

gives us an explicit representative for the basis element given by X'^Z* \ We will write 
a and b for the cosets of a and b respectively, and denote basis elements by 



Now, we can consider the result of applying S to \W). 

£(\W){W\) = Yl X''Z''\W){W\Z^X^ 

,■4- XI l^'^X^'^ 



{a,fe)e5 



d,b) at most 



This now tells us that in order for £ to be e-randomizing, we must have 

e-away from independent for every linear subspace W. This is a different condition from 
those established earlier, as it tells us about the action of £^ on a different class of states 
(this class includes CSS code states). 



5.4.2 Stabilizer States 

We can generalize the results of the previous section from subspace states to general stabi- 
lizer states. Stabilizer states are a large and important class of quantum states in quantum 
computation introduced by Gottesman [TT]. For an introduction, see either Daniel Gottes- 
man's PhD thesis ^Jj or Chapter 10.5 of [18]. We include all the relevant results and 
definitions in Appendix [Bl 

Let \ip) be a stabilizer state, with Stabd?/^)) = G = {gi, .■.,gn)- Then G <Vn (here, Vn 
is the set of n-fold tensors of Pauli operators, see Section lA.l.ll pJlSl). and every element 
P E Vn either commutes with every element of G, or there is some set of generators gi, ...,gj 
such that only gi doesn't commute with P (Lemma IB. 1.5[ p JSHl) . 
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Consider a stabilizer state {ip) with stabilizer group G = {gi, ...,gn)- Lemma FB. 1.6 1 and 
Corollary IB. 1.71 (p J59l) tell us that acting on lip) with a Pauli P either fixes it, or takes it 
to an orthogonal state, in particular the one selected by negating all the Qi with which P 
anti-commutes. There are 2" such states, forming a basis for n-qubit state space. We need 
to determine the image of P\ip)- 

To do so, we must determine with which of the generators gi, ...,gn the operator P anti- 
commutes. By Lemma [A. 1.41 (p JlTl) . these are the generators whose binary representations 
as 2n bit strings have symplectic inner product 1 with the binary representation of P. 
If one tests whether P anticommutes with each gj, one can construct a binary vector 
\b) = {{P, gi) , {P, gn)), where the inner products are the symplectic inner product. 
Labeling basis states with the binary representations of the numbers 0, 2" — 1, we can 
tell what the image of each map will be. This condition can be rephrased in a way that is 
simpler to deal with. 

Lemma 5.4.3. Suppose G = {gi, ...,gn) is a stabilizer group, and lip) is the corresponding 
stabilizer state. Let G be the n x 2n binary matrix with rows given by gi, ...ign- Observe 
that G specifies a linear subspace (and also a linear map G : Zg" — >■ Z2). Let if be a 
generator matrix for the dual of the subspace specified by G (that is, the kernel of the map 
G). Then for a, 6 G {0, 1}", the image of X'^Z^ = \H{a, b)). 

Proof. For each generator gj = {s, t), where s are the first n bits, referring to the positions 
that X acts, and t the second n bits, referring to the positions that Z acts, let hj = [t, s). 
We claim that {hi, generates the kernel of the map G, and thus that the matrix H 
with rows hi is a generator matrix for the dual of the space G. To demonstrate this, we 
must show that the set {hi, ...,hn} is linearly independent, and that hj ■ gk = mod 2 for 
every j,k (that is, they are orthogonal). The first part follows as {gi,...,gn} are linearly 
independent, and we obtain the hj^s by reordering of columns of gj. The second condition 
holds as G is a stabilizer, and hence each of the symplectic inner products {gj,gk) = 0. 
With gj = {sj, tj), for each j,k we have 

= {9j,gk) 

■ tfc -|- tj • S]f 

= gj ■ hk 

which establishes the claim. Since the H constructed defines a linear map with kernel 
G, elements of distinct cosets of G have distinct images, and we can identify X"'Z'^ = 
\H{a,b)). □ 

To prove Theorem 11.6.41 (pE]), we need only use Lemma [5.4.31 and observe that every 
stabilizer can be taken as the dual of some other stabilizer. 
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Thus, we have estabhshed that for in order for the map S to be e-randomizing, the 
underlying set S must obey the condition that for every stabihzer generator matrix G, the 
distribution G{S) (see Theorem 11.6.41) must be at most e-away from uniform. Unfortu- 
nately, this does not mean that every matrix obeys this condition, as there are many linear 
subspaces of that do not correspond to valid stabilizer groups. Nevertheless, this last 
condition implies all our earlier ones, as the class of stabilizer states includes the Pauli 
eigenvectors, the cat states, and linear subspace states. 

We hope that this more general correspondence may be used in proving a lower bound. 
Possible avenues of attack could be to come up with an interpretation for other n x 2n 
binary matrices in terms of states, and apply a similar technique. Alternatively, perhaps 
one can argue based on some kind of permutation symmetry of the small bias spaces S. 



Chapter 6 

Conclusion and Future Research 



6.1 Conclusion 

We have studied approximately randomizing maps in the trace norm. In the area of upper 
bounds, we have demonstrated the best known upper bounds on e-randomizing maps, and 
also that most randomly selected sets of operators of this size are also e-randomizing. 

We have also established a lower bound that is dependent on e, but is not tight, and 
developed some techniques which may be useful in further work. 

6.2 Directions for Future Research and Open Prob- 
lems 

The most obvious open problem is that of establishing a tight lower bound for e-randomizing 
maps in the trace norm. We are continuing work in this direction. Further exploration 
along the lines of approximate designs [S] may be a fruitful approach. One can also rephrase 
these problems in terms of noisy channels. For example, if one models a (i-dimensional noisy 
channel using Kraus operators with the uniform distribution, what is the smallest number 
of Kraus operators that can prevent a transmission rate greater than /(e) for some function 
/. We have not examined this approach at all, and it is possible that a consideration of 
these problems in this alternative framework will yield some interesting results. 

Also open are the questions of developing explicit schemes in the cxD-norm, and of coming 
up with lower bounds valid in the cxD-norm. Kerenidis and Nagaj pL4j demonstrated that 
the explicit schemes of Ambainis and Smith [5] based on small-biased spaces are not valid 
in the cxo-norm, so the results of Hayden et al. [12] remain the best known. 
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Appendix A 

Mathematical Background 



This appendix presents some of the mathematical results and notation used elsewhere in 
this thesis. We assume a basic knowledge of linear algebra and the formalisms of quantum 
computation. For an introduction to the language and notation of quantum computation 
[18] is an excellent resource. 



A.l Pauli Group and Pauli Eigenvectors 
A. 1.1 Pauli Group 

The Pauli Group is of fundamental importance in Quantum Computation and possesses 
several interesting qualities which we make use of throughout this work. 

Definition A. 1.1. Let I, X, Z and Y represent the following matrices respectively: 

. Define Vx = {±1, ±il, ±X, ±iX, ±Y, ±iY, ±Z, ±iZ}. 



1 




1 




1 




-i 


1 




1 




-1 




i 



We call Vi the Pauh Group. 

Observe that Vi is a subgroup of W(2). Each element other than the identity has order 
2, and the following identities hold: 



xz 


= -zx 


Y 


= iXZ 


Tr(P) 


= 


p2 


= I 



for P = X,Y,Z 
VP G Vi. 
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Thus, ignoring phases, each non-identity Pauh anti-commutes with each of the other non- 
identity PauUs. The Pauh matrices are all unitary. Observe further that Vi forms a basis 
for C{2) that is orthonormal with the inner product {A, B) = ^A'^B. The Pauli operators 
correspond to rotations of 180° about the three axes of the Bloch sphere. 
Next we define a generalization of the Pauli operators to n-qubit systems. 

Definition A. 1.2. Let Vn be the set of all n-wise tensor products of Pauli matrices. The 
elements of Vn can thus be written as strings in {X, Y, Z, I}", again up to a possible phase 
of ±l,±i 

We let Xj e Vn be the operator consisting of an X acting on the jth qubit, and I on 
each other qubit. That is, 

Xj = I® ... (g) I® X (8)1(8) ... (g) I 

and define Yj and Zj similarly. Then Vn can be found as arbitrary products (including the 
empty product) of {Xj, Yj, .^j}j=i,...,n times the I. 

We will frequently refer to elements of Vn as Pauli operators or matrices. 

Let a be an n-bit string. Then for an operator P, we will say P° = I and = P and 
define 

n 

P" = (^P"^. 

Note that for any P G Vn, we have P = aX"-Z^ for some strings a, b and a e {1, —1, i, —i}. 
We will often ignore the initial phase factor (which is reasonable, as we will most often be 
conjugating with P), and write P = X'^Z^. 

For two non-identity, single qubit Pauli operators Mj,Nk with M,N G {X,Y,Z}, and 
j,k e {1, n}, they either commute or anti-commute according to the following relation. 

MjNk = {-l)^^-^^''^^^^'>'NkMj (A.l) 

Alternatively, one can phrase this in terms of the symplectic inner product. 

Definition A. 1.3. Given two vectors {a,b) and {c,d) in Zg, we define their symplectic 
inner product as 

{{a,b),{c,d)) — a-d + b-c mod 2 



where (•) is the standard dot product. 
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Lemma A. 1.4. Two Paulis X"'Z'',X'^Z'^ G Vn anti-commute if and only if the symplectic 
inner product ((a, 6), {c,d)) = 1. 

Proof. This follows from Equation (lA.ip . In particular, given the following map: 



I 


= X'Z' H 


00 


X 




10 


Y -- 


= iX^Z^ h- 


11 


Z 




01 



splitting each of the right-hand sides in two, we have that the symplectic inner product is 
if and only if the left-hand sides commute. Then for two elements of P„ represented by 
(a, b) and (c, d), they will commute if and only if they have anti-commuting elements in an 
even number of positions, that is, if 

((a,6),(c,rf)) = 0. 

□ 

One can apply an element P of Vn to a system of n-qubits by applying the Pauli 
operator in the jth position of the string representing P to the jth qubit of the system. 
For example, 

xzxY = (x®z®x®r)(|i) ® |i) ® |i) ® |i)) 
= (x|i))®(z|i))®(x|i))®(r|i)) 

= |0)®(-|1))® |0)®(-2|0)) 
= z|0100). 

Lemma A. 1.5. The elements of Vn form an orthogonal basis for the space of linear 
operators on 2" dimensions, £(2") under the inner product {P,Q) = Tr(P"''Q). 

Proof. Let A and B be two elements of Vn- Then 

Tt{A^B) = Ti (^^^A]B^ 

n 

i=i 
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as tensor products commute with trace. Then as Vi is an orthogonal set with each element 
having squared norm 2, we have 



Tt{A^B) 



2" if Aj = Bj for each j 
otherwise 



Thus Vn is orthonormal with normalization □ 



Note that the norm induced by this inner product is in fact the 2-norm (Section lA. 2. ip 



As Vn is a basis for £(2"), for any operator p we can write p as a sum of elements of V„ 
In particular, we have 



J2 4r Tr(^^XV)X'^Z^ 



A. 1.2 Pauli Eigenvectors 

Definition A. 1.6. We refer to the eigenvectors of Vn as Pauli eigenvectors. For Vi, they 
are |0), |1) (corresponding to the Z operator), |+) = ^(|0) + |1)), |-) = -^(lO) - |1)) 

(corresponding to X), = :^(|0) + i |1)), = :^(|0) — (corresponding to Y). 
Each of these may be written in density operator form as 

I+{-l)'"V 
2 

where w = 0, 1 and V G {X,Y,Z}. The eigenvectors of elements of Vn are simply the 
tensor products of the eigenvectors of the operators in the tensor product. For example, 
the eigenvectors of XX G V2 are {|+) |+) , |+) |— ) , |— ) |+) , |— ) |— )}. We will sometimes 
refer to the density matrix representations of these states as Pauli eigenvectors, and in that 
case, when lip) is an eigenvector of P, we will have 



Note that each non-identity element of P„ has exactly two eigenvalues, ±1, and can be 
written as the difference between the projectors onto each of its eigenspaces. In the case of 
Vi, this means that each non-identity operator is the difference between the density matrix 
representations of its eigenvectors. 

Lemma A. 1.7. For each operator P G Vn, the eigenvectors of P form an orthogonal basis 
for the space C^". 

Proof. This is obvious, as each P is unitary, and hence normal. Thus unitarily diagonalizing 
P yields its eigenvectors, which must span the state space. □ 
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A. 1.3 Heisenberg-Weyl Operators 

The Pauli operators have a natural generahzation from 2 dimensions to d dimensions. In 
a d dimensional space, consider the operators 

X \c) 1-^ |c+l mod d) 
Z\c) ^ e"(2Wi)|c). 

Many of the same results hold for the Heisenberg-Weyl operators as for the Pauli operators, 
and often constructions on qubits using the Paulis can be generalized to arbitrary dimension 
using the Heisenberg-Weyl operators. 

A. 2 Norms 

In this thesis, we make use of three matrix norms: the trace (or 1-) norm, the frobenius 
(or 2-) norm, and the operator (or infinity-) norm. 

Definition A. 2.1. Given a vector space V over C, the function || ■ || : V" — >■ R"*" U {0} is 
called a norm if and only if the following conditions are satisfied. 

1. II v II > e and \\v\\ = v = 0. 

2. For every v &V and c e C, || cv \\ — \c\ \\v\\. 

3. For every u,v E V, \\u + v\\ < + \\v \\ 

A.2.1 2-Norm 

The 2-norm of a vector is the usual Euclidean distance measure. It is easy to compute 
in general, and can be easily generalized to matrices, and related to the trace norm by 
inequalities. We denote the vector norm simply by | • |, rather than the || • || used for 
matrices. 

Definition A. 2. 2. For a vector v in a Hilbert space H, its 2-norm, \v\2 is defined as 

\v\2 = V {V,V) 



where (•, •) is the inner product in Ti. For our purposes, we will consider only finite 
dimensional spaces isomorphic to as a Hilbert space (with the usual inner product) . In 



50 



Approximate Randomization of Quantum States 



this case, if v is written as a complex column vector v — {vi, ...,Vd)'^, then we have the 
following equivalent expressions of \v\2- 



d \ V2 

2 



l^|2 = I |V 

— V v'^v. 

As this is the only vector norm we consider, we may omit the subscript. 

To define the 2-norm on matrices, also known as the Hilbert-Schmidt or the Probenius 
norm, we observe that an s x i matrix M can be written as a vector of length st simply by 
writing the columns of Af on top of each other rather than side-by-side, and that we can 
then use the vector definition. That is, 

11^112 = E i^^>n ■ 
\i=i...t / 

There is a convenient alternative formulation for the 2-norm of a matrix given by the 
following lemma. 

Lemma A. 2. 3. For a s x t matrix M, 

IIMII2 = VTr(MtM). 
Proof. Let ri, be the columns of M. We have 



T:(MtM) = E(^^^)^-'i 
t 

t s 



.3 

j=i k=i 

t s 

2 



j=i k=i 



and taking square roots on both sides completes the proof. □ 
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Corollary A. 2. 4. One can also diagonalize M^M, and then observe that the diagonal 
elements are the squares of the singular values of M, and thus if {Aj} are the singular 
values of M (with multiplicity), 

We also show the following simple lemma about the outer product of a vector with 
itself. 

Lemma A. 2. 5. For a finite-dimensional vector f , the 2-norm of its outer product with 
itself, II vv'^ II2 obeys 



Proof. We have 



vv'^ IL = If |o. 



ff^ 11^ = Tr(f f ^(f f''")^) 



4 



and taking square roots completes the proof. □ 

As quantum states are unit vectors, we also have the following corollary. 
Corollary A. 2. 6. For a pure quantum state \ip), we have 



12 • 



A.2.2 Infinity Norm 

The cxD-norm is also known as the operator norm, or largest singular value norm. Hay- 
den et al. worked in the infinity norm and we include it here for completeness. 

Definition A. 2. 7. For a linear operator M : Tii —>■ 7-^2, 

ll^lloo = sup—— 
veTii \V\ 
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When M is a square matrix, this is equivalent to the absolute value of the largest eigenvalue 
of M (otherwise, the largest singular value). Letting c be the largest eigenvalue, and v a 
unit eigenvector with eigenvalue c, this last condition allows us to write 

cv\ 

c(v^v)\ 
v\cv)\ 
v^Mv\ 

and thus when the v are restricted to unit vectors: 

\\M\\^ = sup\v^Mv\. (A.3) 

\v\=l 

A. 2. 3 Trace Norm 

The trace norm (also called the 1-norm) is a matrix norm. It is the norm that we are most 
interested in throughout this thesis. As it is often difficult to calculate directly, we need 
some relations between it and the other norms we have discussed. Rather than the largest 
singular value, the trace norm tells us the sum of the singular values of a matrix. It is also 
a more practically useful norm, for reasons that will be explained in this section. 

Before defining the trace norm, we need the notion of the square root and absolute 
value of a matrix. 

Definition A. 2. 8. For a diagonal matrix D, with non-negative, real diagonal elements djj, 
define \/D to be the matrix with diagonal elements -s/djj. For M a Hermitian. positive 
definite matrix, we can write M = PDP^ for some orthogonal P and diagonal D. Further, 
the elements of D are all positive. Then we define 

Vm = pVdpI 

In other words, y/M is the matrix that has the same eigenbasis as M, but with eigenvalues 
that are the square roots of those of M. 

Definition A. 2. 9. The absolute value of a matrix M is 

\M\ = VWm. 

Note that M^M is always Hermitian and positive definite, so this is well defined. For a 
square matrix M, |M| is the matrix with the same eigenvectors as M, but with eigenvalues 
that are the absolute values of those of M. 
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We are now ready to define the trace norm of a matrix. 
Definition A. 2. 10. For a matrix M, the trace norm || M \\^^ is defined as: 

II Mil,, = Tr(|M|) 



and as tlie trace of a matrix is equal to the sum of its eigenvalues, we also have 

II Mil,, = 5^|A,| 

where the {Xj} are the eigenvalues of M. 

Our interest in the trace norm is motivated by the following theorem from 

Theorem A. 2. 11. Let p and a be a density matrices and {-Em} be a POVM. The mea- 
surement outcomes for p and a are given by pm = Tr(i?mP) and Qm = Tr(£'mC") respectively. 
Then 

This theorem shows us that the trace distance between two density operators corre- 
sponds in a very real sense to their distinguishability. In particular, if two density operators 
are close in the trace norm, then the trace norm provides an upper bound on the difference 
between the outcome distributions. In the context of our work, we want to come up with 
operations on density matrices that render them indistinguishable from the totally mixed 
state (which has measurement outcomes corresponding to the uniform distribution) except 
with a small probability. 

One disadvantage of the trace norm is that it can be hard to compute. As such, we 
sometimes wish to relate it to the 2-norm and the oo-norm. The following lemma displays 
the relationships between these norms. 

Lemma A. 2. 12. For a d x d matrix M, we have 

II Mil, < II Mil,, (A.4) 

II MIL < IIMII, (A5) 

||M||„ < v^||M||2 (A.6) 

l|M||„ < d\\M\\^ (A7) 



54 



Approximate Randomization of Quantum States 



Proof. Let {Aj | i = l...d} be the singular values of M. 
(]A.4p The claim corresponds to the statement 

This is obvious, as the expansion of the right hand side includes all the terms on the left, 
and all the other terms are non-negative. 

(]A.5I) This is equivalent to 

max |Ajp < |Ajp 

i 

which is clearly true, as the left hand side is one of the terms on the right. 

( 1A.6I) Let J be the c?-dimensional vector with all entries equal to 1. Let {Aj | i = l...d} be 
the singular values of \M\ = vM^M, and A be the d-dimensional vector with zth element 
Aj. By the Cauchy-Schwartz inequality, we have: 

i(A,j)p < iAnij|2 

Expanding, we obtain: 

2 



As Aj = I Ail, taking square roots completes the proof. 



(IA.7p As ||M||^ is the largest singular value of |M|, and || M is the sum of singu- 



lar values, the result is clear. 

□ 

The following technical lemma relating the 2-norm on vectors to the trace norm is used 
in the construction of e-nets in section 13.2.11 

Lemma A. 2. 13. For two pure states ip and ip, 

II IV') - 1^) II2 > f^ll^-^ 



tr 
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Proof. For two pure states ip and if, we have the following identity (see [H], Section 9.2.3) 



^-^11,, = 2^1- 1(^1^)1'. (A. 



Also, for two pure states ip and (p, 



= 2-23?((^|^)). (A.9) 



Thus using (lA.Sp and (IA.9P we have 



> 2-2|(¥;|^)| 

^ II / P2 

— II (/9 — ?/; 1 



TllV'-V^ntr 



which establishes the lemma. □ 

One more fact that is useful to us is the unitary invariance of the trace norm. 

Definition A. 2. 14. A matrix norm || • || is said to be unitarily invariant if for every pair 
of unitary matrices U, V (of the appropriate dimension), 

||M|| = \\UMV\\. 

Lemma A. 2. 15. The trace norm is unitarily invariant. 

Proof. The trace norm is the sum of the absolute values of the singular values of a matrix. 
One can thus use the singular value decomposition to see that the trace norm is not affected 
by unitary operations. □ 
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B.l Stabilizers 

The stabilizer formalism was introduced by Daniel Gottesman [11]. It provides an alter- 
native view to that of kets and density matrices for looking at a large variety of states. It 
has been used widely in error correction. 

Definition B.1.1. An abelian subgroup of Vn is called a stabilizer group if it does not 
contain —I. 

Definition B.l. 2. Let S < Vn- Define Vs = {iIj \ M%Ij = %Ij 'i M e S}. Then Vs is the the 
set of n-qubit states that are invariant under the action of every element of 5*. We call Vs 
the space stabilized by S. 

Clearly V5 = for any group S containing —I, which explains the restriction that 
stabilizer groups must not contain —I. It is simple to verify that any linear combination of 
elements of is also in V^, and thus that Vs is a linear subspace of the space of n-qubit 
quantum states. We also see that Vs is the intersection of the eigenspaces of eigenvalue 1 
of each of the operators in S. 

For any subgroup S < Vn, can write a finite list of elements gi, ...,gk such that every 
element of S can be written as a finite product of gi, ...jgk- If gi, ■■■,gk is a minimal such 
set, we say that S is generated by gi, ..■,gk, and we write S = {gi, .■■,gk)- 

Ignoring phases, we can write each Pauli operator as a 2?T,-bit string as in Definition 
IA.1.21 Then multiplication of Paulis corresponds to addition modulo 2 of their string 
representations and multiplication of their phases. Then a set of generators gi, ...,gk must 
have string representations that are linearly independent. 
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Using this representation of generators, for a given stabihzer group S = {gi, ...,gk) we 
can write them as the rows of a A; x 2n binary matrix M. Then one can obtain all possible 
elements of 5* by taking arbitary Z2 linear combinations of the rows of M. 

Definition B.1.3. If V5 is a 1-dimensional space, then there is a single unit vector (up 
to phase) \ips) G V5 representing a unique quantum state. We call such states stabilizer 
states. 

Lemma B.1.4. If 5* < P„ is a stabilizer group, then represents a stabilizer state if and 
only if S is generated by n generators. 

Proof. This is a special case of Proposition 10.5 of [H]. □ 

Stabilizer states are a large class of states that include many interesting families, in- 
cluding the Pauli eigenvectors, and Bell states. For a discussion, see |18], Chapter 10. 

For our purposes, we are mostly interested in the action of Pauli operators on stabilizer 
states. In particular, we have the following lemmas. 

Lemma B.1.5. Given a stabilizer group G, and an arbitrary Pauli operator P, either P 
commutes with every element of G, or there is a set of generators gi, Qn of G such that 
P anti-commutes with gi, and commutes with g2, ...,gn- 

Proof. Choose an arbitrary set of generators for G, hi, hn- If P commutes with every hi, 
i = 1, ...,n, then P commutes with every element of G. Otherwise, P anti-commutes with 
at least 1 generator, without loss of generality, hi. Let gi = hi and For each i = 2, ...,n, 
let 



Lemma B.1.6. Let {ip) be an n-qubit stabilizer state with Stab(|'?/')) = G = {gi, ...,gn). 
Then for any Pauli P E Vn, have 




hi if gi commutes with P 
hihi if gi anti-commutes with P. 



Clearly, P will commute with each g^ for i = 2, n, and the lemma holds. 



□ 




Proof. The first part is easy to see; as P G G, we have P = and the inner product 
is clearly 1. For the second part, first observe that if P ^ G, then it must anticommute 



The Stabilizer Formalism 



59 



with at least one of the generators of G, including without loss of generality, gi. Then we 
have 

= -{ij\Pg,\^) 
= -{^\P\^) 

and thus (iplPl'ip) = as claimed. □ 

We observe that choosing a stabilizer group can in fact be used to pick a basis for the 
space of n-qubit states using the following corollary of Lemma IB.1.6[ 

Corollary B.1.7. US= {gi, then if T = ((-l)''^^?!, (-1)'^^2, (-l)''"^7n), S' is a 
stabilizer group, and {iPs\4't) = unless 6i = ... = 6„ = 0. 

Proof. Clearly —gi is not in 5* for any i, as otherwise {—gi){gi) = — I G 5, which is a 
violation of the definition of a stabilizer group. Thus Lemma [B.1.61 implies the result. □ 

As there are 2" such orthogonal states, this set forms a basis for pure states on n-qubits. 
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Small Bias Spaces and /c-wise 
Independence 

C.l Definitions 

Small bias spaces are the foundation of the known explicit constructions for e-randomizing 
maps. They are closely related to the existence of almost fc-wise independent spaces. These 
spaces have been well-studied ([1], [16], [3]), in computer science where they have been used 
in the derandomization of algorithms. 

Definition C.1.1 (A;- wise independence). Let iS be a sample space of n-bit binary strings. 
Let Xi be the random variable corresponding to the ith bit of a string sampled from S. 
We say that {Xi, ...X„} is fc-wise independent if for every set \W\ C [n], \W\ = k, the set 
{Xwi, ■■■,Xwk} is independent. 

Alon, Babai and Itai prove a tight lower bound on the size of the sample space S. 

Theorem C.l. 2. If the random variables Xi, X„ are fc-wise independent and not almost 
constant (that is, they do not take a single value with probability 1), then |iS| G ). 

They also show that there exists a sample space of this size. This implies that the size 
of S is polynomial only for constant k. In light of this, Naor and Naor [16] introduced the 
notion of almost k-wise independent spaces. The following definitions are given by Alon, 
Goldreich, Hastad and Peralta [3] to specify what exactly we mean by almost independence. 

Definition C.l. 3. Let S C {0, 1}" be a sample space, and let X = Xi, be sampled 

uniformly from S. 
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• S is (e, /c)-independent (in the max norm) if for any W C [n] such that \W\ = k, and 
any k-hit string a, 

Fr[Xw,,...,Xw^: = a] < e 

• S is e-away (in the trace norm) from /c-wise independence, or alternatively, almost 
fc-wise independent, if for any W C [n] such that \W\ = k, 

J2 |Pr[X;^„...,X^, = a]-2-'=| < e 

ae{0,l}'' 

Clearly if S is e-away from A;-wise independent, then it is (e, /c)-independent, and if S 
is (e, fc)-independent, then it is at most 2^^ e-away from fc-wise independent. 

In order to construct small spaces having these almost independence properties, Naor 
and Naor [16J observe that the following are equivalent: 

1. Xi, ...,Xn are uniform and independent 

2. yWcHFr [e^^^X, = l] =i 

For either of the above conditions to be satisfied, the sample space must have size 2". Naor 
and Naor [16] relax the second condition to instead require that instead the parities should 
be almost equally even and odd. Vazirani pjj defined the bias of a random variable as 
follows: 

Definition C.1.4. Let X be a binary random variable. The bias of X is 

|Pr [X = 0] - Pr [X = 1]| . 

A random variable is said to be unbiased if it has bias O.Thus the second condition above 
is that each of the random variables corresponding to the parities of subsets of Xi, 
should be unbiased. 

Definition C.1.5. The bias of a sample space S of binary strings of length n with respect 
to a string a of length n is defined to be: 

Bias„(5) = E,g5[(-l)"1 

Essentially, a is a witness to the randomness of S. If the bias with respect to some a is 
large, then the space does not behave sufficiently randomly. This motivates the following 
definition, which captures the ability of a space to act randomly, with respect to linear 
tests. That is, if every subset of the bits of S has the "nearly equally distributed parity" 
property, then the space approximates in some sense the uniform distribution. 
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Definition C.1.6. A sample space S is said to be e-biased with respect to linear tests of 
size at most k if for every a such that \a\ < k [a ^ 0), 

BiaSa(iS) < e 

That is, for every non-empty subset W G [n] of bit positions, such that \W\ < k, the bias 
of the random variable = Xi where X = Xi, X2, X„ is sampled from S (that 

is, the parity of the bits of X specified by W) satisfies 

Bias(Fvi^) < e 

When k = n, we abbreviate and say that S is e-biased. 

For clarity, we include the following toy example. Consider the set S = {00, 11}. The 
bias of S with respect to 01 is: 

12(1/2(00-01) + 1/2(11 -01)) - 1| = 

however, with respect to 11, it is: 

|2(l/2(00- 11) + 1/2(11 • 11)) - 1| = 1. 

Thus we can see that S is not (5-biased for any 6 < 1. 

As previously observed, if e = 0, the bits are completely independent, and that the size 
of the sample space must be 2". The following theorem of Vazirani [21] connects e-biased 
spaces to fc-wise independence. 

Theorem C.1.7. If S is e-biased with respect to linear tests of size at most k, then S is 
((1 — 2^'^)e, A;)-independent (max norm) and (2'^ — l)^/^e-away (in the trace norm) from 
fc-wise independence. 

Proof. This proof, from [3j , is by simple Fourier analysis and the Cauchy-Schwartz inequal- 
ity. Without loss of generality, consider random variables Xi, ...,Xk corresponding to the 
first k bit positions of strings in S. We denote by Sk their joint probability distribution. 
For each a e {0, 1}'', let 

Pa = Pr [Xi, ...,Xfc = a] 
Define the discrete Fourier transform of the sequence Pa by 

«e{o,i}'= 
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We have co — 1, and for /3 7^ 0, 

and thus by assumption \cp\ < e. By standard Fourier analysis we have: 
(this is simply the result of applying the Fourier transform twice), and 



Since Cq = 1, we have 



k-2 



-fel 



< 2-'= 1(2^^ - l)e| 
= (l-2-'=)e 

which shows the first part. For the second part, define 

p', = p.-2-'= 

and let c'^^ be the Fourier transform of the p' sequence. Then c'q — O and = C/j for /3 7^ 
and by Cauchy-Schwartz inequality we have 



a \ a / 



1/2 



which establishes the theorem. 



□ 



Conversely, if S is e-away from A;- wise independence, it is generally true only that S is 
e biased with respect to linear tests of size at most k. 
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C.2 Constructions 

Alon, Goldreich, Hastad and Peralta [3] give three constructions for e-biased spaces. We 
make use of their final construction (modified by their remark) in our exphcit construction 
of e-PQCs. This construction is based on arithmetic in GF{T') and uses 2r bits to generate 
a sample space S C {0, 1}''* with size \S\ = 2^^. The proof of Proposition IC.2.11 is an 
adaptation of the proof given in |3] for their third construction, modified to include the 
improvement of their remark. 

Construction 

Represent elements of GF{2'') as binary strings of length r. Let fi, be any basis for 
GF{2^) (for example the standard basis identifying vj = 0-'~^10'"~-'). An element of 2 G iS 
is specified by two strings of length r, say x and y. The ijth bit (with i G {0, s — G 
{1, ■■.,r}) of z is specified by: 

Zij = (vj *x')-y 

where a- 6 is the usual scalar product between vectors and * is the multiplication in OF {2"^) 
(hereafter omitted). 

Proposition C.2.1. The sample space S is ^^^-biased. 

Proof. Let x and y be elements of GF{2^) represented as binary strings of length r, and 
z{x, y) G the element of S specified by x and y. Then the (ir + j)th bit of z(x, y) is 
given by 

r-l 

z{x,y)i,j = ^{vjx')kyk- 

k=0 

We want to show that z(x, y) is unbiased with respect to strings a G Z", so fix such an a. 
Then we wish to consider {z{x,y),a). Expanding, we have 

s— 1 r 

{z{x,y),a) = 5Z 5Z y)hj 

i=0 j=l 
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and then by linearity, 



s—1 r r 

1=0 j=l k=l 
r s—1 r 

k=l i=0 j=l 
r / s—1 r \ 

k=l \i=0 j=l / u 



id] 



Observe that 



s—1 r—1 
i=0 j=0 



o^ j 



is a polynomial in x over GF{2^) (since {fi, ...,Vr} is a basis), and rewrite Eq. IC.ll as 

r— 1 / s—1 r—1 \ 
k=0 \ i=0 j=0 ) 

Now we consider the result of fixing x = Xq and ranging over all values of y. There are two 
cases to consider, the first is that that Pq(xo) 7^ 0. In this case the scalar product is evenly 
distributed over and 1 as y is uniform. The second case is that Pa(xo) = 0, in which case 
the inner product is for each value of y. However, as has degree s — it has at most 
s — 1 roots, thus 

Bias[(p«(x),?/)] = |Pr = 0] - Pr = 1]| 



< 



s - 1 



S-1 + 



s - 1 



s - 1 



□ 



C.3 Bounds on the Size of e-biased Spaces 

In proving lower bounds for the size of sets of operators that are e-randomizing, we try to 
demonstrate that these sets imply the existence of e-biased spaces. For these connections 
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to be useful, we need to have lower bounds on the size of e-biased spaces. The following 
result from [3] gives a lower bound that is also tight in the range e = 2~®*^"'\ 

Proposition C.3.1. Let e < 1/2 , n be a positive integer, and S be an e-biased space of 
n binary random variables (i.e., a distribution of strings in {0, 1}""). Let m{n,e) be the 
minimum possible size of S. Then for every such n and e, we have: 

m(n, e) > n{ min i ^2 log(l/g) ' ^" ^ ^ 



< O min<^— ,2 



n „ 71^ 



e2' ' 62(log2(n/e))2 
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